The GDPR: What You Need to Know About Europe’s Toothy New Privacy Law

There has been a lot of news about individual privacy on the web, particularly concerning social media and commercial uses of data. Here in the United States, we were confronted most recently with the Cambridge Analytica data scandal, which has sparked a public conversation about the protection of personal data online.

Public discourse concerning individual rights to privacy, and the legislation to support it, has deeper roots in Europe, so it is not surprising that the most recent regulations regarding the protections of personal data come from that continent. The adoption of the strictest online privacy laws to date in the European Union, known as the General Data Protection Regulation (GDPR), has been making waves across the world as businesses scramble not only to comply, but to determine if the far-reaching statutes even apply to them.

The big question is: what does the GDPR mean for your US-based website and business? We’re here today to clarify all things GDPR and help you make sure your business is protected.

What is the GDPR?

The General Data Protection Regulation is the latest personal data protection legislation to come out of the European Union. The GDPR aims to bring existing European laws concerning personal privacy, identity, and data into the digital age.

The GDPR requires an unprecedented level of consumer data safeguarding that places the onus of data protection onto the companies collecting it, rather than the individuals supplying it.

Here is a quick breakdown of the benefits afforded consumers through the GDPR:

Consent for the collection of consumer data must be freely given, informed, and unambiguous.

Users have the right to access all personal data, and know how it is being used and why.

Companies must protect all personal identifying data such as cookies or IP addresses with the same stringency as names, addresses, credit card information, and Social Security numbers.

Consumers may request their personal data be deleted at any time.

Mandatory communications concerning breaches of data much be issued within 72 hrs. of an event.

Companies must put concerns about privacy first when creating new systems, not as an afterthought.

If you pay close attention to discussions about online privacy you might ask what all the fuss is about. On the surface, these new regulations don’t appear to differ all that much from the European Union’s 1995 regulations concerning personal data. However, you’ll find that the GDPR differs from previous legislation in two main ways: 1) in the enforcement of fines, and 2) in its increased territorial scope.

Why Does Compliance Matter?

The GDPR’s strict requirements for the protections of personal data are not necessarily new to European companies, but the consequences of non-compliance are. Failure to comply with the GDPR can see fines levied of 20 million Euros (around $24 million), or 4% of a business’s annual revenue, whichever is higher. This means companies who treat the GDPR casually risk toothy penalties.

Why Have I Been Hearing so Much About the GDPR in the U.S.?

News of the GDPR has many U.S. based companies worried due to the inclusion of new and extensive “extra-territorial applicability”.

Unlike previous European data protection laws, the GDPR applies to all companies processing the data of those living in the European Union. A company falls under the jurisdiction of the GDPR by offering a good or service to EU citizens, or even monitoring online behavior taking place in the EU, regardless of location.

Under the increased territorial scope of the law, a U.S.-based company engaging in any type of data collection on those using the internet in the EU is subject to the restrictions of the GDPR. A financial transaction does not have to take place to collect the types of data that will trigger the protections of the GDPR.

The increased territorial scope of the law is the most important aspect of the GDPR for U.S.-based companies to consider. Companies outside the EU must now carefully evaluate their online presence to determine whether the GDPR applies to them.

What does this mean for my U.S.-based business?

There is a lot of confusing information out there about how the GDPR will affect U.S.-based small businesses, and only time will tell how the EU intends to define and pursue non-compliance. While more explicit than past regulations, the exact intent of the GDPR is still murky in some areas. Let’s explore.

The GDPR most certainly applies to your U.S. business in these situations:

You are a business that sells or ships a good or service to users located in the EU through your website.

You are a non-profit that offers complimentary services through an email sign-up form on your website that serves users located in the EU.

You directly market web content to users in the EU through language-targeted landing pages, accept the currency of that country, or use country-based domain suffixes.

You use cookies to track and make predictions about the behavior of users residing in the EU.

These scenarios make sense because goods, services, and content are being offered to EU residents in exchange for personal identifying data. But is every website in the world using Google Analytics or web-based contact forms required to comply with the GDPR simply because a user from Europe could access their site? Let’s take a deeper look.

Case Study

Take the case of a locally owned and operated HVAC company in Gainesville, FL. This company has a robust local web presence selling its HVAC installation and repair services in the North Central Florida area. They use a web-based contact form that is the source of almost all their new business leads.

Anyone who has used Google Analytics knows that web traffic shows up from all over the world, even in the case of the most localized content. Is this HVAC company required to comply with the GDPR simply because a user from Belgium stumbled across their site and gave their information through a contact form?

It seems that this locally operating HVAC company would be unfairly burdened with GDPR compliance when they have no intention, or even means to, offer their services outside of the North Central Florida area.

This is where interpreting GDPR becomes slightly more complicated. Use of generic, global marketing tools like web-based contact forms and Google Analytics alone should not be enough to trigger the GDPR. A website’s content must actively pursue EU subjects, in conjunction with other forms of generic data collection, for the GDPR to apply. Thus, the new regulations would not apply to this HVAC company solely based on their site being used by a European visitor.

Where Do We Go From Here?

Even if your business doesn’t fall under the jurisdiction of the new European data regulations, you can expect to see changes in the way U.S.-based companies handle data because of these new personal privacy standards.

Think of California-based emissions laws. It turned out to be easier for car manufacturers to comply with the more stringent CA regulations across the board, rather than manufacture separate models for each different market. In the same way, you will see companies applying GDPR protections across the board, rather than building separate products for their European customers.

Additionally, proving to your clients that you are compliant with new data protections not only helps you avoid steep fines as the EU flexes its territorial reach, it also demonstrates a commitment to earning trust. In the future, good practices will mean only collecting, using, and storing personal identifying information that applies to your current business aims, rather than allowing mounds of vulnerable data to sit in long forgotten databases waiting to be compromised.

Experts disagree on the future of privacy laws in the U.S., some say it is only a matter of time, while others argue regulations resembling the GDPR will never be enacted here. Either way, companies have very little to lose by closely reexamining their data collection practices to ensure sure they are only collecting the exact data necessary to provide the best user experience possible.

Fine Print

We are your experts on digital marketing, but we are not lawyers! The content of this article is not meant to constitute legal advice regarding GDPR compliance. You can read more about the GDPR here and here.